MDL-47926 LTI: Fix missing sesskey checks and add content type headers to redirect

Damyon Wiese 2014-10-28 17:24:35 +08:00 committed by Marina Glancy
parent 219ebf9bb4
commit c3a0452a5b
3 changed files with 11 additions and 3 deletions


@ -275,7 +275,7 @@ function lti_register($toolproxy) {
$requestparams['tc_profile_url'] = $profileservice->parse_value('$ToolConsumerProfile.url');
// Add the return URL.
$returnurlparams = array('id' => $toolproxy->id);
$returnurlparams = array('id' => $toolproxy->id, 'sesskey'=>sesskey());
$url = new \moodle_url('/mod/lti/registrationreturn.php', $returnurlparams);
$returnurl = $url->out(false);
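Review bot: The added `'sesskey'=>sesskey()` puts the administrator's session key into the return URL, and the surrounding `$requestparams` code suggests that URL is handed to the external tool during registration, although the place where `$returnurl` is used is outside this hunk. If so, the CSRF token for the whole session is disclosed to a third party and may end up in that party's logs or referrers. A single-use value stored against the tool proxy record and checked in registrationreturn.php would limit what the tool learns. At minimum I would add a comment such as `// The sesskey is embedded in a URL passed to the tool and stays valid for this session.` and match the neighbouring spacing with `'sesskey' => sesskey()`.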


@ -32,6 +32,7 @@ $id = required_param('id', PARAM_INT); // Tool Proxy ID.
$toolproxy = $DB->get_record('lti_tool_proxies', array('id' => $id), '*', MUST_EXIST);
require_login(0, false);
require_sesskey();
$systemcontext = context_system::instance();
require_capability('moodle/site:config', $systemcontext);
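Review bot: `require_sesskey();` is added after `$DB->get_record('lti_tool_proxies', array('id' => $id), '*', MUST_EXIST);`, so the record lookup still runs before login, session key and capability are verified. A request for a missing id therefore fails differently from one for an existing id, even without a valid session. Moving the lookup below `require_capability('moodle/site:config', $systemcontext);` would keep every access check ahead of the database read. The script continues outside the hunk, so any earlier use of `$toolproxy` should be confirmed before reordering.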


@ -27,11 +27,12 @@ require_once('../../config.php');
require_once($CFG->dirroot.'/mod/lti/locallib.php');
$top = optional_param('top', 0, PARAM_INT);
$msg = optional_param('lti_msg', '', PARAM_RAW);
$err = optional_param('lti_errormsg', '', PARAM_RAW);
$msg = optional_param('lti_msg', '', PARAM_TEXT);
$err = optional_param('lti_errormsg', '', PARAM_TEXT);
$id = optional_param('id', 0, PARAM_INT);
// No guest autologin.
require_sesskey();
require_login(0, false);
$systemcontext = context_system::instance();
@ -40,6 +41,7 @@ require_capability('moodle/site:config', $systemcontext);
if (empty($top)) {
$params = array();
$params['sesskey'] = sesskey();
$params['top'] = '1';
if (!empty($msg)) {
$params['lti_msg'] = $msg;
@ -57,6 +59,7 @@ if (empty($top)) {
$html = <<< EOD
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript">
//<![CDATA[
top.location.href = '{$redirect}';
@ -70,11 +73,15 @@ top.location.href = '{$redirect}';
</body>
</html>
EOD;
// We always send the headers because they set the encoding.
send_headers('text/html; charset=utf-8', false);
echo $html;
} else if (!empty($msg) && !empty($err)) {
$params = array();
$params['sesskey'] = sesskey();
$params['top'] = '1';
if (!empty($err)) {
$params['lti_errormsg'] = $err;
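Review bot: In the first hunk of this file `require_sesskey();` is inserted between the `// No guest autologin.` comment and the `require_login(0, false);` call that the comment describes, and the order is the reverse of the other script in this commit, which calls `require_login(0, false);` first. With the sesskey check first, a request arriving with an expired session would presumably stop at the sesskey error instead of being sent to login. I would keep the order `// No guest autologin.`, `require_login(0, false);`, `require_sesskey();`. Separately, `PARAM_TEXT` does not by itself make `$msg` and `$err` safe inside the `top.location.href = '{$redirect}';` string; that depends on how `$redirect` is built, which is outside the hunks.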